Bug 747239 - quota_nld runs as initrc_t
Summary: quota_nld runs as initrc_t
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: selinux-policy
Version: 6.2
Hardware: All
OS: Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Miroslav Grepl
QA Contact: Michal Trunecka
URL:
Whiteboard:
Depends On:
Blocks: 784333 832330
Reported: 2011-10-19 08:19 UTC by Milos Malik
Modified: 2014-09-30 23:33 UTC (History)
CC: 6 users

Fixed In Version: selinux-policy-3.7.19-136.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Clones: 784333
Environment:
Last Closed: 2012-06-20 12:28:00 UTC
Target Upstream Version:
Embargoed:


Attachments:
quotanld.te (929 bytes, text/plain), 2011-10-19 10:05 UTC, Milos Malik
quotanld.fc (75 bytes, text/plain), 2011-10-19 10:05 UTC, Milos Malik
quotanld.if (795 bytes, text/plain), 2011-10-19 10:06 UTC, Milos Malik


Links:
System: Red Hat Product Errata, ID: RHBA-2012:0780, Private: 0, Priority: normal, Status: SHIPPED_LIVE, Summary: selinux-policy bug fix and enhancement update, Last Updated: 2012-06-19 20:34:59 UTC

Description Milos Malik 2011-10-19 08:19:15 UTC
Description of problem:


Version-Release number of selected component (if applicable):
selinux-policy-mls-3.7.19-118.el6.noarch
selinux-policy-doc-3.7.19-118.el6.noarch
selinux-policy-3.7.19-118.el6.noarch
selinux-policy-targeted-3.7.19-118.el6.noarch
selinux-policy-minimum-3.7.19-118.el6.noarch
quota-3.17-16.el6.i686

How reproducible:
always

Steps to Reproduce:
# service quota_nld status
quota_nld is stopped
# service quota_nld start
Starting quota_nld:                                        [  OK  ]
# ps -efZ | grep quota
unconfined_u:system_r:initrc_t:s0 root   15764     1  0 10:17 ?        00:00:00 /usr/sbin/quota_nld
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 root 15767 3942  0 10:17 pts/0 00:00:00 grep quota
#
Actual results:
* quota_nld is running as initrc_t

Expected results:
* quota_nld is running as quota_t or similar domain

Comment 1 Milos Malik 2011-10-19 08:24:11 UTC
A simple workaround caused AVCs:

# chcon -t quota_exec_t `which quota_nld`
# service quota_nld status
quota_nld is stopped
# service quota_nld start
Starting quota_nld: quota_nld: Cannot connect to netlink socket: Operation not permitted
                                                          [FAILED]
# ausearch -m AVC -m USER_AVC -ts today
----
time->Wed Oct 19 10:21:26 2011
type=PATH msg=audit(1319012486.582:35371): item=0 name="/proc/net/psched" inode=4026531984 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0
type=CWD msg=audit(1319012486.582:35371):  cwd="/"
type=SYSCALL msg=audit(1319012486.582:35371): arch=40000003 syscall=5 success=no exit=-13 a0=bfadd8ac a1=0 a2=1b6 a3=d3ac42 items=1 ppid=15811 pid=15812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319012486.582:35371): avc:  denied  { read } for  pid=15812 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Oct 19 10:21:26 2011
type=SOCKETCALL msg=audit(1319012486.586:35372): nargs=3 a0=10 a1=3 a2=10
type=SYSCALL msg=audit(1319012486.586:35372): arch=40000003 syscall=102 success=no exit=-13 a0=1 a1=bfade750 a2=d4c314 a3=20d5a30 items=0 ppid=15811 pid=15812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319012486.586:35372): avc:  denied  { create } for  pid=15812 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----

Comment 2 Milos Malik 2011-10-19 08:36:37 UTC
# setenforce 0
# ls -Z `which quota_nld`
-rwxr-xr-x. root root system_u:object_r:quota_exec_t:s0 /usr/sbin/quota_nld
# service quota_nld status
quota_nld is stopped
# service quota_nld start
Starting quota_nld:                                        [  OK  ]
# ausearch -m AVC -m USER_AVC -ts recent
----
time->Wed Oct 19 10:32:14 2011
type=USER_AVC msg=audit(1319013134.371:35390): user pid=1266 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=15868 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
----
time->Wed Oct 19 10:32:14 2011
type=PATH msg=audit(1319013134.283:35381): item=0 name="/proc/net/psched" inode=4026531984 dev=00:03 mode=0100444 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:proc_net_t:s0
type=CWD msg=audit(1319013134.283:35381):  cwd="/"
type=SYSCALL msg=audit(1319013134.283:35381): arch=40000003 syscall=5 success=yes exit=3 a0=bffa9cac a1=0 a2=1b6 a3=328c42 items=1 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.283:35381): avc:  denied  { open } for  pid=15868 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1319013134.283:35381): avc:  denied  { read } for  pid=15868 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Oct 19 10:32:14 2011
type=SYSCALL msg=audit(1319013134.289:35382): arch=40000003 syscall=197 success=yes exit=0 a0=3 a1=bffa9904 a2=8deff4 a3=1900170 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.289:35382): avc:  denied  { getattr } for  pid=15868 comm="quota_nld" path="/proc/15868/net/psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
----
time->Wed Oct 19 10:32:14 2011
type=SOCKETCALL msg=audit(1319013134.291:35383): nargs=3 a0=10 a1=3 a2=10
type=SYSCALL msg=audit(1319013134.291:35383): arch=40000003 syscall=102 success=yes exit=3 a0=1 a1=bffaab50 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.291:35383): avc:  denied  { create } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKETCALL msg=audit(1319013134.293:35384): nargs=5 a0=3 a1=1 a2=7 a3=bffaab58 a4=4
type=SYSCALL msg=audit(1319013134.293:35384): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bffaab20 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.293:35384): avc:  denied  { setopt } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.293:35385): saddr=10000000FC3D000000000000
type=SOCKETCALL msg=audit(1319013134.293:35385): nargs=3 a0=3 a1=1900a30 a2=c
type=SYSCALL msg=audit(1319013134.293:35385): arch=40000003 syscall=102 success=yes exit=0 a0=2 a1=bffaab50 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.293:35385): avc:  denied  { bind } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.294:35386): saddr=10000000FC3D000000000000
type=SOCKETCALL msg=audit(1319013134.294:35386): nargs=3 a0=3 a1=1900a30 a2=bffaab7c
type=SYSCALL msg=audit(1319013134.294:35386): arch=40000003 syscall=102 success=yes exit=0 a0=6 a1=bffaab50 a2=33a314 a3=1900a30 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.294:35386): avc:  denied  { getattr } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.294:35387): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1319013134.294:35387): nargs=3 a0=3 a1=bffaa988 a2=0
type=SYSCALL msg=audit(1319013134.294:35387): arch=40000003 syscall=102 success=yes exit=20 a0=10 a1=bffaa900 a2=33a314 a3=1900a88 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.294:35387): avc:  denied  { write } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=SOCKADDR msg=audit(1319013134.294:35388): saddr=100000000000000000000000
type=SOCKETCALL msg=audit(1319013134.294:35388): nargs=3 a0=3 a1=bffaa9ac a2=0
type=SYSCALL msg=audit(1319013134.294:35388): arch=40000003 syscall=102 success=yes exit=1148 a0=11 a1=bffaa970 a2=33a314 a3=0 items=0 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.294:35388): avc:  denied  { read } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
----
time->Wed Oct 19 10:32:14 2011
type=PATH msg=audit(1319013134.295:35389): item=0 name=(null) inode=52170 dev=fd:00 mode=0140777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:system_dbusd_var_run_t:s0
type=SOCKADDR msg=audit(1319013134.295:35389): saddr=01002F7661722F72756E2F646275732F73797374656D5F6275735F736F636B6574
type=SOCKETCALL msg=audit(1319013134.295:35389): nargs=3 a0=4 a1=bffaa91e a2=21
type=SYSCALL msg=audit(1319013134.295:35389): arch=40000003 syscall=102 success=yes exit=0 a0=3 a1=bffaa8e0 a2=617ff4 a3=bffaaa8c items=1 ppid=15867 pid=15868 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.295:35389): avc:  denied  { connectto } for  pid=15868 comm="quota_nld" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=AVC msg=audit(1319013134.295:35389): avc:  denied  { write } for  pid=15868 comm="quota_nld" name="system_bus_socket" dev=dm-0 ino=52170 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:system_dbusd_var_run_t:s0 tclass=sock_file
----
time->Wed Oct 19 10:32:14 2011
type=PATH msg=audit(1319013134.386:35391): item=1 name="/var/run/quota_nld.pid" inode=9715 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0
type=PATH msg=audit(1319013134.386:35391): item=0 name="/var/run/" inode=2059 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=CWD msg=audit(1319013134.386:35391):  cwd="/"
type=SYSCALL msg=audit(1319013134.386:35391): arch=40000003 syscall=5 success=yes exit=5 a0=1901d18 a1=8241 a2=1b6 a3=da9efb items=2 ppid=1 pid=15871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013134.386:35391): avc:  denied  { write } for  pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013134.386:35391): avc:  denied  { create } for  pid=15871 comm="quota_nld" name="quota_nld.pid" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013134.386:35391): avc:  denied  { add_name } for  pid=15871 comm="quota_nld" name="quota_nld.pid" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
type=AVC msg=audit(1319013134.386:35391): avc:  denied  { write } for  pid=15871 comm="quota_nld" name="run" dev=dm-0 ino=2059 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----
# service quota_nld stop
Stopping quota_nld:                                        [  OK  ]
# ausearch -m AVC -m USER_AVC -ts recent
----
time->Wed Oct 19 10:34:49 2011
type=PATH msg=audit(1319013289.598:35392): item=1 name="/var/run/quota_nld.pid" inode=9715 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:var_run_t:s0
type=PATH msg=audit(1319013289.598:35392): item=0 name="/var/run/" inode=2059 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_run_t:s0
type=CWD msg=audit(1319013289.598:35392):  cwd="/"
type=SYSCALL msg=audit(1319013289.598:35392): arch=40000003 syscall=10 success=yes exit=0 a0=1900e50 a1=bffaa3fc a2=dad708 a3=1900e50 items=2 ppid=1 pid=15871 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=8 comm="quota_nld" exe="/usr/sbin/quota_nld" subj=unconfined_u:system_r:quota_t:s0 key=(null)
type=AVC msg=audit(1319013289.598:35392): avc:  denied  { unlink } for  pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013289.598:35392): avc:  denied  { remove_name } for  pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
----

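The denials quoted above are the raw material for deciding which domain a daemon should run in and what that domain must be allowed to do. As an added example that is not part of this bug report or of the selinux-policy package, the Python script below parses `ausearch` output for both kernel `AVC` records and the `USER_AVC` records that dbus-daemon emits, groups the denied permissions by (source type, target type, object class), and renders them in the `allow` syntax that audit2allow prints. The sample audit text is constructed from lines modelled on the denials in comment 2.

```python
"""Summarise SELinux AVC denials from `ausearch` output.

Added example, not code from the bug report or the selinux-policy package.
Groups every denial by (source type, target type, object class) and collects
the permissions, which is what a policy author needs to see before deciding
whether an existing domain fits or a new one is warranted.
"""
import re
from collections import defaultdict

# Matches the kernel's "avc: denied {...} for ..." record and the same text
# when dbus-daemon wraps it in a USER_AVC record (msg='avc: denied ...').
AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\w+)"
)

# Constructed sample input, modelled on the records quoted in comment 2.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1319013134.283:35381): avc:  denied  { open } for  pid=15868 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1319013134.283:35381): avc:  denied  { read } for  pid=15868 comm="quota_nld" name="psched" dev=proc ino=4026531984 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:proc_net_t:s0 tclass=file
type=AVC msg=audit(1319013134.291:35383): avc:  denied  { create } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
type=AVC msg=audit(1319013134.293:35384): avc:  denied  { setopt } for  pid=15868 comm="quota_nld" scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:system_r:quota_t:s0 tclass=netlink_socket
type=AVC msg=audit(1319013134.295:35389): avc:  denied  { connectto } for  pid=15868 comm="quota_nld" path="/var/run/dbus/system_bus_socket" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=unix_stream_socket
type=USER_AVC msg=audit(1319013134.371:35390): user pid=1266 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus member=Hello dest=org.freedesktop.DBus spid=15868 scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tclass=dbus : exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=AVC msg=audit(1319013134.386:35391): avc:  denied  { write } for  pid=15871 comm="quota_nld" name="quota_nld.pid" dev=dm-0 ino=9715 scontext=unconfined_u:system_r:quota_t:s0 tcontext=unconfined_u:object_r:var_run_t:s0 tclass=file
type=AVC msg=audit(1319013134.386:35391): avc:  denied  { add_name } for  pid=15871 comm="quota_nld" name="quota_nld.pid" scontext=unconfined_u:system_r:quota_t:s0 tcontext=system_u:object_r:var_run_t:s0 tclass=dir
"""


def type_of(context):
    """Return the type field (user:role:type[:range]) of a security context."""
    return context.split(":")[2]


def summarise(text):
    """Map (source_type, target_type, tclass) to the sorted list of denied permissions."""
    grouped = defaultdict(set)
    for line in text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # PATH, SYSCALL, SOCKADDR etc. records carry no denial
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        grouped[key].update(m["perms"].split())
    return {key: sorted(perms) for key, perms in grouped.items()}


def as_allow_rules(summary):
    """Render the summary as `allow` rules; a target equal to the source becomes `self`."""
    rules = []
    for (src, tgt, cls), perms in sorted(summary.items()):
        target = "self" if tgt == src else tgt
        rules.append(f"allow {src} {target}:{cls} {{ {' '.join(perms)} }};")
    return rules


if __name__ == "__main__":
    for rule in as_allow_rules(summarise(SAMPLE_AUDIT)):
        print(rule)
```

On a live system the same function can be fed the output of `ausearch -m AVC -m USER_AVC -ts recent`. The grouped view is what makes the design question in this bug concrete: every rule the script prints would have to be granted to `quota_t`, the domain shared by the ordinary quota tools, if the daemon were simply relabelled as `quota_exec_t`, and netlink, D-Bus and pid-file access are not things those tools need. That is the least-privilege argument for confining a daemon in its own domain rather than widening an existing one.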
Comment 3 Miroslav Grepl 2011-10-19 08:55:29 UTC
The only question is whether we want to treat it with the quota_t domain type or whether we want to create a new type, for example quota_nld_t (which looks to me like the right solution).

Petr,
what does this daemon do?

Comment 4 Milos Malik 2011-10-19 10:05:09 UTC
Created attachment 528964 [details]
quotanld.te

Comment 5 Milos Malik 2011-10-19 10:05:59 UTC
Created attachment 528965 [details]
quotanld.fc

Comment 6 Milos Malik 2011-10-19 10:06:53 UTC
Created attachment 528966 [details]
quotanld.if

Comment 7 Petr Pisar 2011-10-19 11:16:06 UTC
(In reply to comment #3)
> what does this daemon do?
It registers on a netlink group for disk quota events and waits for events from the kernel. When the daemon receives an event (usage exceeded or underrun limit), it can print it to the last user's terminal (access to /var/log/utmp is needed, and to other users' PTYs) or broadcast it via the system D-Bus (desktop environments can listen for the D-Bus event and raise a notification on the user's workspace). The daemon will also write into syslog if something goes wrong (like an error while finding the terminal or writing into it).

Whether the daemon warns into the terminal and/or to D-Bus is configurable at execution time (there is a file in /etc/sysconf). See the manual page for more details.

Comment 8 Miroslav Grepl 2011-10-19 14:03:19 UTC
Ok, I believe we need to add a new domain for this.

Comment 9 Daniel Walsh 2011-10-19 14:18:38 UTC
Yes although we probably should put this off to 6.3.

Comment 10 Miroslav Grepl 2011-10-19 14:29:36 UTC
(In reply to comment #8)
> Ok, I believe we need to add a new domain for this.

I am adding quota_nld_t policy to Fedora.

Comment 11 Miroslav Grepl 2011-10-19 14:30:04 UTC
(In reply to comment #9)
> Yes although we probably should put this off to 6.3.

Yes, I agree.

Comment 15 Miroslav Grepl 2012-01-26 08:53:20 UTC
Fixed in selinux-policy-3.7.19-136.el6

Comment 18 errata-xmlrpc 2012-06-20 12:28:00 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2012-0780.html

